I just got this email purporting to be from PayPal. I don’t believe the email.
Dear valued PayPal member: It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before July 06, 2007. Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. To update your PayPal records click on the following link: http://126.96.36.199/updateusersonlinesecurity.html Thank You. PayPal UPDATE TEAM
What makes me think it is a fake? The URL does not contain PayPal’s domain name. It is a simple IP address.
So, who owns the IP Address?
OrgName: Road Runner HoldCo LLC
OrgID: RRSW
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
And what about the real PayPal? Its IP address is 188.8.131.52.
Also, the email didn’t have my address in the “TO” box (So I’m guessing all the recipients were BCC’d into the list) and the reply address is firstname.lastname@example.org.
I have sent an appropriate email to Road Runner letting them know that someone is using their servers to host phishing sites. Hopefully it can be taken down promptly to prevent any less savvy people falling victim to this really quite amateurish attempt at a phishing scam.
Tags: phishing scam paypal road runner rr
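The three tells the post relies on (a link whose host is a bare IP address rather than the PayPal domain, the recipient missing from the "To" header, and a reply address outside the claimed domain) are easy to turn into a mechanical check. The following is an added example, not code from the original post: it parses a raw message with Python's standard email library and reports which of those indicators fire. The two sample messages are constructed for the example; the IP-based link and the reply address are the ones the post quotes, while the From line, the benign message, and the recipient address me@example.net are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the post (hypothetical headers,
# not a real capture; the link and the Reply-To address are the ones the post shows).
PHISH_EMAIL = """\
From: PayPal UPDATE TEAM <update@example.org>
Reply-To: firstname.lastname@example.org
To: undisclosed-recipients:;
Subject: Your PayPal account needs updating
Content-Type: text/plain; charset=utf-8

Dear valued PayPal member: your account information needs to be updated.
To update your PayPal records click on the following link:
http://126.96.36.199/updateusersonlinesecurity.html Thank You.
"""

# Constructed benign counterpart: addressed to the recipient directly, sent from and
# linking to the claimed domain, no foreign Reply-To.
LEGIT_EMAIL = """\
From: PayPal <service@paypal.com>
To: me@example.net
Subject: Your monthly statement
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.paypal.com/myaccount (log in directly rather than via email links).
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def host_is_bare_ip(url):
    """True when the link's host is a literal IPv4/IPv6 address instead of a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return bool(host) and (host == domain or host.endswith("." + domain))


def phishing_indicators(raw_message, my_address, claimed_domain):
    """Check a raw RFC 822 message for the signs the post relies on.

    Returns {"urls": [...], "indicators": [...]} with the indicator names sorted.
    An empty indicator list only means these heuristics did not fire.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    urls = URL_RE.findall(body)
    found = set()

    # Links: a bare IP is the post's main tell; any host outside the claimed domain is suspect.
    for url in urls:
        host = urlparse(url).hostname or ""
        if host_is_bare_ip(url):
            found.add("link_to_bare_ip")
        if not host_in_domain(host, claimed_domain):
            found.add("link_outside_claimed_domain")

    # Recipient: a mass BCC mailing leaves our own address out of To/Cc entirely.
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in recipients:
        found.add("recipient_not_in_to")

    # Sender headers: From and Reply-To should sit inside the domain the mail claims to be from.
    for header, name in (("From", "from_outside_claimed_domain"),
                         ("Reply-To", "reply_to_outside_claimed_domain")):
        value = msg.get(header)
        if value and not host_in_domain(domain_of(parseaddr(value)[1]), claimed_domain):
            found.add(name)

    return {"urls": urls, "indicators": sorted(found)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, phishing_indicators(raw, "me@example.net", "paypal.com"))
```

The bare-IP test is the strongest single signal here; the domain checks are weaker on their own because legitimate senders sometimes use tracking or mailing-list domains, so treat the count of indicators as a score rather than any one of them as proof.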
I believe RoadRunner are an ISP. That’s probably a DSL customer. Whether the customers are themselves committing the scam, or they’re a zombie, I don’t know. I wouldn’t be too surprised if infected machines weren’t merely used to send the scam emails but also to collect the results. Fewer links back to the perpetrator.
I would guess that you are right. It is most likely to be a zombie machine.
This very IP is also the one hacking (or attempting to hack) into SQL servers. It is a computer that is running a program trying out all possible login names, and of course with each login name, various passwords. If you are running SQL Server, ensure that you check your Event Viewer, and the chances are that you will find the IP listed (don’t forget to deny access for it).